
Encryption & Decryption with RSA_PKCS1_PADDING algorithm in Express js

I am using Express.js. Encryption and decryption work completely in Node version 14, but in Node version 20 it says: RSA_PKCS1_PADDING is no longer supported for private decryption, this can be reverted with --security-revert=CVE-2023-46809

I don't want to use security-revert=CVE-2023-46809

Besides I have to use RSA PKCS1 PADDING algorithm with PKCS1 padding algorithm

Thanks in advance

const crypto = require('crypto');

encrypt(data) {
    const signerObject = crypto.publicEncrypt(
        { key: this.pubKey, padding: crypto.constants.RSA_PKCS1_PADDING },
        Buffer.from(JSON.stringify(data))
    );
    return signerObject.toString('base64');
}

decrypt(data) {
    const decrypted = crypto
        .privateDecrypt(
            { key: this.privKey, padding: crypto.constants.RSA_PKCS1_PADDING },
            Buffer.from(data, 'base64')
        )
        .toString();
    return JSON.parse(decrypted);
}

Please propose a solution for Node version 20

kasfik asked Jul 01 '26 23:07


1 Answer

Your encryption method doesn't need to change. Change decrypt to:

import NodeRSA from "node-rsa"


export function decryptWithPrivateKey(encryptedData){
    const keyRSA=new NodeRSA(
        process.env.NEXT_PUBLIC_SERVER_PRIVATE_KEY.replace(/\\n/g, '\n'), "private", {encryptionScheme:"pkcs1"}
    )
    keyRSA.setOptions({environment:"browser"})//By default it will use the node crypto library with the CVE
    return keyRSA.decrypt(encryptedData)
}

// USE AS: const decryptedkey=decryptWithPrivateKey(encryptedData).toString('utf-8')

I used next.js code here but it should be easy to convert it to node.js

UPDATE

Node.js equivalent:

const NodeRSA=require('node-rsa');

function decryptWithPrivateKey(encryptedData){
    const keyRSA=new NodeRSA(
        "<your-private-key-here>", "private", {encryptionScheme:"pkcs1"}
    )
    keyRSA.setOptions({environment:"browser"})//By default it will use the node crypto library with the CVE
    return keyRSA.decrypt(encryptedData)
}

// USE AS: const decryptedkey=decryptWithPrivateKey(encryptedData).toString('utf-8')
D. Rattansingh answered Jul 03 '26 15:07
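
Where the encrypting side can also be changed, Node 20's built-in crypto still performs RSA private decryption with OAEP padding, which the block on RSA_PKCS1_PADDING does not touch. The following is an added example, not code from the question or the answer; the function names, the inline-generated key pair and the sample payload are assumptions.

```javascript
const crypto = require('crypto');

// Constructed 2048-bit key pair for the demo; real code loads its own PEM keys.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const HASH_BYTES = 32; // SHA-256 digest size
// OAEP capacity: modulus bytes - 2 * hash bytes - 2 (190 for this key).
const MAX_OAEP_BYTES = publicKey.asymmetricKeyDetails.modulusLength / 8 - 2 * HASH_BYTES - 2;

// Same shape as the question's encrypt(): JSON -> RSA -> base64.
function encryptOaep(data) {
  const plaintext = Buffer.from(JSON.stringify(data));
  if (plaintext.length > MAX_OAEP_BYTES) {
    throw new RangeError(`payload is ${plaintext.length} bytes, OAEP limit is ${MAX_OAEP_BYTES}`);
  }
  return crypto.publicEncrypt({ key: publicKey, ...OAEP }, plaintext).toString('base64');
}

// Same shape as the question's decrypt(): base64 -> RSA -> JSON.
function decryptOaep(b64) {
  const plaintext = crypto.privateDecrypt({ key: privateKey, ...OAEP }, Buffer.from(b64, 'base64'));
  return JSON.parse(plaintext.toString());
}

// Probe whether this Node build accepts PKCS#1 v1.5 for privateDecrypt.
// The Node 20 error quoted in the question is raised by the privateDecrypt call.
function pkcs1DecryptAllowed() {
  const padding = crypto.constants.RSA_PKCS1_PADDING;
  const ct = crypto.publicEncrypt({ key: publicKey, padding }, Buffer.from('probe'));
  try {
    crypto.privateDecrypt({ key: privateKey, padding }, ct);
    return true;
  } catch (err) {
    return false;
  }
}

console.log('PKCS#1 v1.5 privateDecrypt allowed:', pkcs1DecryptAllowed());
console.log('OAEP round trip:', decryptOaep(encryptOaep({ user: 'alice', amount: 42 })));
```

OAEP ciphertexts are not readable by a PKCS#1 v1.5 decryptor or vice versa, so the encrypting and decrypting code have to switch together.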